Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1885
Views
1
Helpful
6
Replies

Cisco FTD remote access VPN with ISE posture

Go to solution
FernandoDiaz1992
Level 1
Level 1

‎12-09-2022 07:09 PM - edited ‎12-09-2022 07:11 PM

Hello team,

I'm setting up a remote access VPN on FTD with ISE posture.
The problem I have is that the posture does not work and in AnyConnect I see the message "no policy server detected".

In the ISE logs I see that for each login in the VPN two authentication events are generated in the ISE. The first event has the result "secceeded" (this is fine), and the second event has the result "failed".

ISE-Log.PNG

ISE-Log succeeded.png

ISE-Log failed.png

I made a capture of the RADIUS packets that the ISE receives and I observed that in the second authentication event the firewall sends the username as if it were the authentication password.
For example:
1st authentication event: username "fernando", password "123456". (This is fine). - result "secceeded"
2nd authentication event: username "fernando", password "fernando". - result "failed".

The temporal action that I applied to solve the problem is to enable the option "If Auth Fail = CONTINUE", in the Authentication Policy of the ISE.
After applying the temporary action, the whole posture procedure works correctly.

ISE-Authentication policy.png

Does anyone know why that behavior occurs?

Labels:
Preview file
30 KB
Preview file
53 KB
Preview file
18 KB
Preview file
68 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
FernandoDiaz1992
Level 1
Level 1

‎12-12-2022 06:27 AM - edited ‎12-12-2022 06:28 AM

I solved the problem.
I was missing a check in the RADIUS configuration of the FTD.

View solution in original post

Preview file
45 KB
6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎12-10-2022 01:20 AM

@FernandoDiaz1992 what is RADIUS the configuration on the FTD connection profile? Please provide screenshot

What is the configuration of your ISE authorisation rules and profile (in regard to posture redirect)?

Which cisco guide have you followed for configuration? https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215236-ise-posture-over-anyconnect-remote-acces.html

 

 

0 Helpful

Go to solution
FernandoDiaz1992
Level 1
Level 1
In response to Rob Ingram

‎12-10-2022 07:22 AM - edited ‎12-10-2022 07:26 AM

Hi Rob,
Thanks for answering.

I attach the screenshots of the configuration.
RADIUS in FTD: radius1, radius2, radius3, aclftd.
ISE: ise1, ise2, ise3, ise4, ise5, ise6.

Preview file
45 KB
Preview file
41 KB
Preview file
36 KB
Preview file
41 KB
Preview file
40 KB
Preview file
23 KB
Preview file
23 KB
Preview file
43 KB
Preview file
42 KB
Preview file
33 KB
0 Helpful

Go to solution
FernandoDiaz1992
Level 1
Level 1
In response to Rob Ingram

‎12-10-2022 07:27 AM

Attached the packet capture in Wireshark.

Preview file
23 KB
Preview file
50 KB
Preview file
50 KB
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to FernandoDiaz1992

‎12-10-2022 07:50 AM

@FernandoDiaz1992 I've seen this before where two authentications are sent to the RADIUS server, but I cannot recall the exact issue. What is the configuration of the connection profile itself?

What version of FMC/FTD are you using?

0 Helpful

Go to solution
FernandoDiaz1992
Level 1
Level 1
In response to Rob Ingram

‎12-10-2022 07:56 AM

FTD version 7.0.1
FMC version 7.0.1
ISE version 3.1

 

Preview file
45 KB
0 Helpful

Go to solution
FernandoDiaz1992
Level 1
Level 1

‎12-12-2022 06:27 AM - edited ‎12-12-2022 06:28 AM

I solved the problem.
I was missing a check in the RADIUS configuration of the FTD.

Preview file
45 KB
Customers Also Viewed These Support Documents